How to Install Magento Security Patches – The Ultimate Guide

Magento releases patches whenever it finds a vulnerability in the system. Magento recently released patches on Nov 26, 2014 and Feb 9, 2015. We strongly recommend installing each patch as soon as possible, because until you do your Magento store remains vulnerable and an attacker can steal your data.

Magento had already released one patch last year, but 80% of Magento stores had not applied it and so remained vulnerable, which is why Magento had to send notifications urging store owners to install the patches and secure their stores. The remote code execution vulnerability was originally discovered by Check Point, who reported the issue to Magento.

We have covered the installation of the following patches, but you can install others using the same method:

Refer to this spreadsheet to find out which patches your Magento version needs. It is prepared and maintained by JH.

How can your store be hacked?

An attacker can run malicious code and, using SQL injection, create a fake admin user with full rights in the Magento database. If you think your website has been hacked, look for the usernames admin_user and ypwq in your database, as these are the names attackers have been using so far.

Why you should fix this as soon as possible

Check Point researchers recently discovered a critical RCE (remote code execution) vulnerability in the Magento web e-commerce platform that can lead to the complete compromise of any Magento-based store, including credit card information as well as other financial and personal data, affecting nearly two hundred thousand online shops.

Now to the important part: how to install the patches on your Magento website. Here is the simplest guide to applying patches to your Magento store.

There are three ways to install patches: using SSH, using FTP, or using cPanel. Some hosting providers do not include SSH access in your plan, but do not worry, you have the other options to fall back on.

Compilation:

Make sure compilation is disabled in your store before installing patches. If you installed the patch without disabling the compiler, test everything and then run the compiler again. The compiler must be re-run for the patched code to take effect.

I have explained the installation of patches with both methods here:

Follow these instructions to install a patch on your store:

Method 1:

Upload the patch files to the root of your Magento installation.

Create a file named patch.php and write the following code in it:

<?php
// Runs the Magento patch script from the browser.
// Replace the file name with the name of the patch you uploaded.
// Delete this file from the server as soon as the patch has been applied:
// anyone who can request it can run the shell script again.
print("<PRE>");
passthru("/bin/bash PATCH_SUPEE-5344.sh");
print("</PRE>");
echo "Done";
?>

Replace the file name in it with the name of the patch you uploaded, upload patch.php to the root, and run it from the browser.

The name should be PATCH_SUPEE-5344.sh or PATCH_SUPEE-1533.sh.

You should see the following screen once you run patch.php from the browser:

If you get an error like this:

“Error! Some required system tools, that are utilized in this sh script, are not installed; Tool (s) “patch” is (are) missed, please install it(them).

This means the system tools needed to run the sh script are not installed on your server. Contact your hosting provider, or follow another method.

We have updated the patch files for older Magento versions.
Use these patches at your own risk, and take a backup of your website first. We strongly recommend upgrading your Magento to the latest version; you can contact us for the Magento Upgrade Service.

SUPEE 6285

It prevents attackers from posing as an administrator to gain access to the last orders feed, which contains personally identifiable information that can then be used to obtain more sensitive information in follow-on attacks. To check whether you have been compromised, review your server logs for anyone trying to reach the /rss/NEW location.

It closes a number of security gaps including cross-site scripting (XSS), cross-site request forgery (CSRF), and error path disclosure vulnerabilities.
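The log review suggested above, as an added example that is not part of the original post: a small POSIX shell script that pulls requests for the order feed out of an access log, lists the client addresses behind them, and separates requests that were actually answered with HTTP 200 (feed content returned) from those that were redirected or rejected. The log lines are constructed for the example using RFC 5737 test addresses; the post names the location /rss/NEW, and the sample also includes the longer /rss/order/NEW form of that path.

```sh
#!/bin/sh
# Added example, not from the original post: scan a web server access log for
# requests to the RSS order feed that SUPEE-6285 protects. The log lines below
# are constructed for this example (RFC 5737 test addresses).

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [10/Jun/2015:12:00:01 +0000] "GET /index.php/rss/order/NEW HTTP/1.1" 200 5120 "-" "curl/7.35.0"
198.51.100.7 - - [10/Jun/2015:12:00:05 +0000] "GET /catalog/product/view/id/12 HTTP/1.1" 200 18230 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jun/2015:12:00:09 +0000] "GET /rss/order/NEW/ HTTP/1.1" 302 0 "-" "curl/7.35.0"
192.0.2.44 - - [10/Jun/2015:12:01:14 +0000] "GET /rss/new HTTP/1.1" 404 231 "-" "Mozilla/5.0"
EOF

# Print every request line whose path goes through /rss/ and names NEW.
rss_feed_requests() {
    grep -E '"(GET|POST|HEAD) [^"]*/rss/[^" ]*NEW' "$1"
}

# Distinct client addresses that asked for the feed, one per line.
rss_feed_clients() {
    rss_feed_requests "$1" | awk '{ print $1 }' | sort -u
}

# Requests answered with HTTP 200, i.e. the feed body was returned to the
# client; a redirect to the login page or a 4xx response means it was not.
# (Field 9 is the status code in the common/combined log format.)
rss_feed_served() {
    rss_feed_requests "$1" | awk '$9 == 200'
}

echo "Feed requests:"
rss_feed_requests "$SAMPLE_LOG"
echo "Clients:"
rss_feed_clients "$SAMPLE_LOG"
echo "Requests actually served (HTTP 200):"
rss_feed_served "$SAMPLE_LOG"
```

On a real server, point the functions at the access log (for example /var/log/apache2/access.log or its rotated copies) instead of the constructed sample. A 200 response to one of these requests from an address you do not recognise is the case worth investigating, since it means the order feed was delivered.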

Method 1

You can follow the same process as stated above for SUPEE 1533, 5344 and 5994.

Method 2

You can follow the same process as stated above for SUPEE 1533 and 5344.

SUPEE 9652

SUPEE 9767

1) I have installed the patches as instructed, but the warning still shows when I log into the Magento admin panel.

The warning is just a notification; you can "mark as read" all those messages if you have successfully installed the patches. If you have not, either follow this blog post or contact us, and we will help you with the patch installation for FREE.

2) I'm on a shared server and my hosting provider does not allow access via SSH or telnet. Is there another way to install security patches?

We have described two more methods for the security patch installation; try either of them. If you are familiar with FTP, the file upload method is the best. Make sure you take a backup of the files you are overwriting.

3) Fatal error: Class 'Mage_Install_Controller_Router_Install' not found
Warning: include(Mage/Install/Controller/Router/Install.php) function.include:failed to open stream: No such file or directory

Check whether the file app/code/core/Mage/Install/Controller/Router/Install.php exists. When you ran the patch, the directory Router did not exist in app/code/core/Mage/Install/Controller, so the Install.php file was not created even though the applied.patches.list file says it was. This means you are missing a class, and you get the message above.

4) Blank page after installing security patch PATCH_SUPEE-5994

a. Make sure the file at app/code/core/Mage/Install/Controller/Router/Install.php starts with a capital "I". If not, rename it so that it does.
b. Follow the steps shown in question 3.
c. Disable the compiler; here is a way to disable it without accessing the backend.
Find the file config.php in the includes directory. It will look like this:

Once the lines are commented out, try again. You will probably be able to log in now. Go to your tools, re-run the compilation process, and when it succeeds, go back to includes/config.php and uncomment the lines again.

5) Getting: Error! Some required system tools, that are utilized in this sh script, are not installed: Tool(s) patch is(are) missed, please install it(them).

For Windows servers: if you cannot run .sh files, extract the second section of the patch (the unified patch) and apply it manually with a patching tool (for example through PhpStorm).

For Linux servers:
Install the patch package:
yum install patch
Then run the patch file with sh:
sh PATCH_SUPEE-1533_EE_1.13.x_v1-2015-02-10-08-18-32.sh

6) How can I make sure that SUPEE 1533 and SUPEE 5344 have been installed perfectly?

You can check your website for the vulnerability here:
https://magento.com/security-patch

You can also use our free Magento Applied Patches extension for verification.
This extension only shows a result if you installed the patches using SSH or the PHP file method.

7) How can I make sure that SUPEE 5994 has been installed perfectly?

There is no dedicated tool for verifying SUPEE 5994, but you can check the files that the patch modified:
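For questions 6 and 7, here is an added example (not the post's own extension or any Magento tool) of a POSIX shell check that answers "was this SUPEE patch applied?" from app/etc/applied.patches.list, the log file that the Magento 1 patch scripts append a line to for every patch they apply. Like the extension mentioned in question 6, it only works for patches installed with the .sh script (via SSH or the patch.php method), because the FTP upload method never writes that file. The Magento root and its patch list are constructed for the example, and the pipe-separated layout with the patch name in the second field is assumed.

```sh
#!/bin/sh
# Added example, not from the original post: read app/etc/applied.patches.list
# to report which SUPEE patches are recorded as applied. The Magento root and
# the list contents below are constructed; the "field 2 is the patch name"
# layout is an assumption about that log file.

DEMO_ROOT=$(mktemp -d)
trap 'rm -rf "$DEMO_ROOT"' EXIT
mkdir -p "$DEMO_ROOT/app/etc"
cat >"$DEMO_ROOT/app/etc/applied.patches.list" <<'EOF'
2015-02-10 08:18:32 UTC | SUPEE-1533 | EE_1.13.x | v1 | constructed-commit | constructed-sha1 | sample-file-list
2015-02-10 08:20:11 UTC | SUPEE-5344 | EE_1.13.x | v1 | constructed-commit | constructed-sha1 | sample-file-list
EOF

# Print the names of all patches recorded under a Magento root, one per line.
# Returns 1 when the list file does not exist (nothing was ever recorded).
applied_patches() {
    list="$1/app/etc/applied.patches.list"
    [ -f "$list" ] || return 1
    awk -F'|' '{ n = $2; gsub(/^[ \t]+|[ \t]+$/, "", n); print n }' "$list"
}

# Exit 0 when the named patch (e.g. SUPEE-5344) is recorded as applied.
patch_applied() {
    applied_patches "$1" | grep -qx "$2"
}

# Print each of the given patch names that is NOT recorded, for a quick report.
missing_patches() {
    root=$1; shift
    for p in "$@"; do
        if ! patch_applied "$root" "$p"; then echo "$p"; fi
    done
}

echo "Applied under $DEMO_ROOT:"
applied_patches "$DEMO_ROOT"
echo "Missing from the set this post covers:"
missing_patches "$DEMO_ROOT" SUPEE-1533 SUPEE-5344 SUPEE-5994 SUPEE-6285
```

Run missing_patches against your real Magento root with the patch names you expect. An empty result means every named patch has a record; a listed name either was never applied or was applied by copying files over FTP, in which case you have to compare the modified files by hand as described in question 7.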

8) I am getting this error while applying a patch. What could be the issue? Hunk #1 FAILED at ...1 out of 1 hunks FAILED -- saving rejects to file.

The error is caused by whitespace differences in the code. As mentioned before, a patch file states that at a given line a particular piece of code must be changed; if patch does not find that code at the specified line, it throws this error.

Every code line had a CRLF line (an empty line) under it, which could be the reason for this error. You need to find the file and remove these extra lines between the code. In short, the file needs to match exactly what Magento has in its repository for the patch to apply.

Solution: download the exact same core files for your Magento version fresh from the Magento site and replace the old core files with them; the patch will then apply cleanly.

Or try this:

Run the dos2unix command to convert all line endings from DOS to UNIX:
~/bash$ dos2unix
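The line-ending fix above, as an added example that is not part of the original post: a POSIX shell script that finds files under a directory whose lines end in CRLF (the DOS endings that make patch report "Hunk #1 FAILED") and converts them to LF in place using only tr, so it also works on a server where dos2unix is not installed. The Magento-like directory and the two sample files are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original post: detect CRLF line endings in a
# tree of core files and convert them to LF without dos2unix. The directory
# and files below are constructed for this example.

DEMO_ROOT=$(mktemp -d)
trap 'rm -rf "$DEMO_ROOT"' EXIT
mkdir -p "$DEMO_ROOT/app/code/core/Mage/Sample"
printf '<?php\r\nclass Mage_Sample_Dos {}\r\n' >"$DEMO_ROOT/app/code/core/Mage/Sample/Dos.php"
printf '<?php\nclass Mage_Sample_Unix {}\n'    >"$DEMO_ROOT/app/code/core/Mage/Sample/Unix.php"

# Exit 0 when the file contains at least one carriage return.
has_crlf() {
    [ "$(tr -cd '\r' <"$1" | wc -c | tr -d ' ')" -gt 0 ]
}

# List every regular file under a directory that still has CRLF endings.
find_crlf_files() {
    find "$1" -type f | while read -r f; do
        if has_crlf "$f"; then echo "$f"; fi
    done
}

# Strip carriage returns from one file; writing back through cat keeps the
# original file's permissions and ownership instead of replacing the inode.
to_unix() {
    tmp=$(mktemp)
    tr -d '\r' <"$1" >"$tmp" && cat "$tmp" >"$1"
    rm -f "$tmp"
}

# Convert every CRLF file under a directory and print how many were changed.
fix_crlf_tree() {
    find_crlf_files "$1" | while read -r f; do
        to_unix "$f" && echo "$f"
    done | wc -l | tr -d ' '
}

echo "Files with DOS line endings under $DEMO_ROOT:"
find_crlf_files "$DEMO_ROOT"
```

Take a backup first, then run find_crlf_files on app/code/core to see what would change and fix_crlf_tree to convert it; afterwards the patch script should find the lines it expects. Do not run the conversion on binary files (images, archives), which is why you should point it at the code directories only.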